Improper Authorization in minio - CVE-2021-41137

 

Improper Authorization in minio - CVE-2021-41137

Published: June 29, 2022


Vulnerability identifier: #VU64786
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-41137
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: MinIO
Affected software:
minio

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to policy restriction does not work properly for users who did not have service (svc) or security token service (STS) accounts. A remote user can bypass policy restrictions on regular users and execute arbitrary code on the target system.


How to mitigate CVE-2021-41137

Install updates from vendor's website.

Sources